AES Algorithm Specification

Upload: muhammad-bilal

Post on 06-Apr-2018


8/3/2019 AES Algorithm Specification

AES Algorithm Specification
Muhammad Bilal
Network Architecture and Analysis Laboratory
Image Security 2058231

Overview

Introduction
Forward Substitute Byte Transformation
Finite Field: GF(p), GF(2^n)
Construction (S-Box)
Shift Rows
Mix Columns
Add Round Key
Putting it all together
Few words and References

Introduction

Designed by Rijmen and Daemen in Belgium.

Has 128/192/256-bit keys and 128-bit data blocks.

An iterative cipher with key expansion into an array of words.

AES has 10/12/14 rounds, each made of four stages: one permutation and three substitutions.

Substitute bytes: uses an S-box to perform a byte-by-byte substitution of the block.

ShiftRows: a simple permutation.

MixColumns: a substitution that makes use of arithmetic over GF(2^8).

AddRoundKey: a simple bitwise XOR of the current block with a portion of the expanded key.

Forward Substitute Byte Transformation (S-Box)

The S-Box is a simple 16x16 lookup table.

It is a permutation of all 256 possible single-byte values.

Each byte of the state is replaced by the byte indexed by row (left 4 bits) and column (right 4 bits). The replacement is derived from the multiplicative inverse in GF(2^8).

The main objective of the S-Box operation is to provide confusion and non-linearity.

Finite Field (Galois Field)

A field is a set with two operations, addition and multiplication, such that:

both satisfy closure
both are associative
both are commutative
each has an identity element (0 for addition, 1 for multiplication)
any element a has an additive inverse -a
any nonzero element a ≠ 0 has a multiplicative inverse a^-1
multiplication is distributive over addition

Fields with the same number of elements are isomorphic.

In cryptography the fields GF(p), GF(p^n) and particularly GF(2^n) are often used.

Galois Fields GF(p)

GF(p) is the set of integers {0, 1, ..., p-1} with arithmetic operations modulo a prime p.

These form a finite field, since every nonzero element has a multiplicative inverse.

Hence arithmetic is well-behaved: addition, subtraction, multiplication and division can all be done without leaving the field GF(p).

Finding Inverses in GF(p)

EXTENDED EUCLID(m, b)

1. (A1, A2, A3) = (1, 0, m); (B1, B2, B3) = (0, 1, b)
2. if B3 = 0 return A3 = gcd(m, b); no inverse
3. if B3 = 1 return B3 = gcd(m, b); B2 = b^-1 mod m
4. Q = A3 div B3
5. (T1, T2, T3) = (A1 - Q*B1, A2 - Q*B2, A3 - Q*B3)
6. (A1, A2, A3) = (B1, B2, B3)
7. (B1, B2, B3) = (T1, T2, T3)
8. goto 2

Inverse of 550 in GF(1759)

Q   | A1   | A2   | A3   | B1   | B2   | B3
--  | 1    | 0    | 1759 | 0    | 1    | 550
3   | 0    | 1    | 550  | 1    | -3   | 109
5   | 1    | -3   | 109  | -5   | 16   | 5
21  | -5   | 16   | 5    | 106  | -339 | 4
1   | 106  | -339 | 4    | -111 | 355  | 1

So 550^-1 mod 1759 = 355 (check: 550 * 355 = 195250 = 111 * 1759 + 1).
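As an added example (my code, not from the slides), the EXTENDED EUCLID(m, b) steps above in Python, keeping every (Q, A1, A2, A3, B1, B2, B3) row so the trace can be compared with the table; inverses_mod_p and format_trace are helper names chosen here.

```python
def extended_euclid(m, b):
    """Return (gcd, b^-1 mod m or None, trace) following steps 1-8 of the slide."""
    a1, a2, a3 = 1, 0, m          # step 1
    b1, b2, b3 = 0, 1, b
    trace = [(None, a1, a2, a3, b1, b2, b3)]
    while True:
        if b3 == 0:               # step 2: A3 is the gcd, no inverse exists
            return a3, None, trace
        if b3 == 1:               # step 3: B2 is b^-1 mod m (normalised into 0..m-1)
            return 1, b2 % m, trace
        q = a3 // b3              # step 4
        t1, t2, t3 = a1 - q * b1, a2 - q * b2, a3 - q * b3   # step 5
        a1, a2, a3 = b1, b2, b3   # step 6
        b1, b2, b3 = t1, t2, t3   # step 7
        trace.append((q, a1, a2, a3, b1, b2, b3))            # step 8: loop

def inverses_mod_p(p):
    """Inverse of every nonzero residue mod p; None marks a non-invertible one (p not prime)."""
    return {a: extended_euclid(p, a)[1] for a in range(1, p)}

def format_trace(trace):
    """Render the trace in the slide's column layout."""
    header = "Q A1 A2 A3 B1 B2 B3".split()
    rows = [header] + [["-" if q is None else str(q)] + [str(v) for v in rest]
                       for q, *rest in trace]
    widths = [max(len(r[i]) for r in rows) for i in range(7)]
    return "\n".join("  ".join(c.rjust(w) for c, w in zip(r, widths)) for r in rows)

if __name__ == "__main__":
    g, inv, trace = extended_euclid(1759, 550)
    print(format_trace(trace))
    print("inverse of 550 mod 1759 =", inv)   # 355
```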

Galois Fields GF(p^n)

A finite field F has p^n elements (prime p, integer n > 0). For any a in F, a + a + ... + a (p times) = 0.

For n > 1, integer arithmetic modulo p^n does not produce a field.

GF(2^n): polynomials with modulo-2 coefficients, reduced by an irreducible polynomial, generate a Galois field.

Galois Fields GF(2^n)

Motivation for using GF(2^n):

GF(2^n) covers the full range of integers representable in an n-bit word.

Every integer value occurs with the same frequency.

All nonzero integers in the range have a corresponding multiplicative inverse.

The modified Euclid's algorithm [1] computes the inverse with less computational complexity.

The modification makes it possible to compute division with less computation:
1. Find the inverse element B^-1(x).
2. A(x)/B(x) = A(x) . B^-1(x).

Finding Inverses in GF(2^n)

EXTENDED EUCLID[m(x), b(x)]

1. [A1(x), A2(x), A3(x)] = [1, 0, m(x)]; [B1(x), B2(x), B3(x)] = [0, 1, b(x)]
2. if B3(x) = 0 return A3(x) = gcd[m(x), b(x)]; no inverse
3. if B3(x) = 1 return B3(x) = gcd[m(x), b(x)]; B2(x) = b(x)^-1 mod m(x)
4. Q(x) = quotient of A3(x)/B3(x)
5. [T1(x), T2(x), T3(x)] = [A1(x) - Q(x)B1(x), A2(x) - Q(x)B2(x), A3(x) - Q(x)B3(x)]
6. [A1(x), A2(x), A3(x)] = [B1(x), B2(x), B3(x)]
7. [B1(x), B2(x), B3(x)] = [T1(x), T2(x), T3(x)]
8. goto 2

Multiplicative inverse of (x^7 + x + 1) mod (x^8 + x^4 + x^3 + x + 1)

Q             | A1            | A2                | A3                      | B1                | B2                | B3
--            | 1             | 0                 | x^8 + x^4 + x^3 + x + 1 | 0                 | 1                 | x^7 + x + 1
x             | 0             | 1                 | x^7 + x + 1             | 1                 | x                 | x^4 + x^3 + x^2 + 1
x^3 + x^2 + 1 | 1             | x                 | x^4 + x^3 + x^2 + 1     | x^3 + x^2 + 1     | x^4 + x^3 + x + 1 | x
x^3 + x^2 + x | x^3 + x^2 + 1 | x^4 + x^3 + x + 1 | x                       | x^6 + x^2 + x + 1 | x^7               | 1

So (x^7 + x + 1)^-1 mod (x^8 + x^4 + x^3 + x + 1) = x^7.

Construction (S-Box)

Number the rows and columns of the S-Box in ascending order.

Map each byte in the S-box to its multiplicative inverse in the finite field GF(2^8); the value {00} is mapped to itself. Then apply the affine transformation over GF(2^8):

b'_i = b_i ⊕ b_(i+4) mod 8 ⊕ b_(i+5) mod 8 ⊕ b_(i+6) mod 8 ⊕ b_(i+7) mod 8 ⊕ c_i

where b_i is bit i of the inverse, b'_i is bit i of the S-box output, c_i is bit i of a fixed constant byte c, and ⊕ is addition in GF(2) (XOR).
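Added example (not the slides' code) covering both the preceding GF(2^n) inverse slides and this S-box construction: the polynomial EXTENDED EUCLID with polynomials held as Python ints (bit i = coefficient of x^i), reproducing the trace for x^7 + x + 1, then the S-box built as inverse followed by the affine map. The constant byte c = {63} is taken from FIPS-197 (cited in the references), not from the slide.

```python
AES_POLY = 0x11B   # x^8 + x^4 + x^3 + x + 1; bit i of an int = coefficient of x^i
def poly_mul(a, b):            # carry-less product in GF(2)[x], no reduction
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r

def poly_divmod(a, b):         # quotient and remainder of a(x) / b(x) in GF(2)[x]
    q = 0
    while b and a.bit_length() >= b.bit_length():
        shift = a.bit_length() - b.bit_length()
        q ^= 1 << shift
        a ^= b << shift
    return q, a

def poly_extended_euclid(m, b):
    """Steps 1-8 of the slide; returns (gcd, b(x)^-1 mod m(x) or None, trace)."""
    a1, a2, a3 = 1, 0, m
    b1, b2, b3 = 0, 1, b
    trace = [(None, a1, a2, a3, b1, b2, b3)]
    while True:
        if b3 == 0:
            return a3, None, trace                  # A3(x) = gcd, no inverse
        if b3 == 1:
            return 1, poly_divmod(b2, m)[1], trace  # B2(x) = b(x)^-1 mod m(x)
        q, _ = poly_divmod(a3, b3)
        # subtraction in GF(2)[x] is XOR, so T = A - Q*B becomes A ^ Q*B
        t1, t2, t3 = a1 ^ poly_mul(q, b1), a2 ^ poly_mul(q, b2), a3 ^ poly_mul(q, b3)
        a1, a2, a3 = b1, b2, b3
        b1, b2, b3 = t1, t2, t3
        trace.append((q, a1, a2, a3, b1, b2, b3))

def gf_inverse(a):             # inverse in GF(2^8) under AES_POLY; {00} maps to itself
    return 0 if a == 0 else poly_extended_euclid(AES_POLY, a)[1]

def sbox_entry(a):
    """Inverse, then b'_i = b_i ^ b_(i+4) ^ b_(i+5) ^ b_(i+6) ^ b_(i+7) ^ c_i, indices mod 8."""
    b = gf_inverse(a)
    bit = lambda v, i: (v >> (i % 8)) & 1
    out = 0
    for i in range(8):          # c = 0x63 is the FIPS-197 constant byte
        out |= (bit(b, i) ^ bit(b, i + 4) ^ bit(b, i + 5) ^ bit(b, i + 6)
                ^ bit(b, i + 7) ^ bit(0x63, i)) << i
    return out

SBOX = [sbox_entry(a) for a in range(256)]   # SBOX[0x53] == 0xED as in FIPS-197
```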

S-BOX

     0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
0   01 DE A5 63 6A 26 7E C9 7F 67 A4 05 03 64 2E 32
1   AE 04 BA B5 B2 50 3A 17 08 82 0F 94 ED 7C F5 71
2   6C 24 8A B9 D9 E2 CC 38 B0 6D EC 8D 3D CA 9D A9
3   B1 6F E3 80 35 3B B6 4A E7 21 55 B3 68 BD 6E 19
4   F0 16 6B EB 59 28 1D 2C D6 41 3F D5 C7 3E 8F 89
5   36 88 45 8E DD 8C 34 CD 2F A2 22 F7 AF 29 9E 91
6   E9 86 C0 40 18 83 F6 25 C2 A1 54 AB 66 EF A6 E8
7   B4 5A 84 C4 52 5F E5 02 5D EA D4 DB D2 85 5B 27
8   00 44 93 47 DF 46 1A D7 37 51 49 A8 1C B8 4F F9
9   C5 43 60 20 0C 57 7B A3 61 E1 2A E4 33 C6 53 74
A   0B 9A 76 E6 65 FF C3 3C 9F 75 56 F8 69 F3 9C 87
B   7D F4 5E FD BF 23 0D DA AA 99 95 9B 0E 5C 96 39
C   D3 90 30 92 C1 2D 1B E0 81 97 15 72 10 1F 98 62
D   78 4D 13 73 AC CE D0 1E FE 8B 2B 0A 06 C8 4E F2
E   CB CF 58 7A EE A0 B7 DC 12 42 FB FC 07 14 4B AD
F   D8 48 77 11 D1 A7 BC 70 F1 FA BB 79 09 BE 4C 31

Shift Rows

A circular byte shift in each row:
1st row is unchanged
2nd row does a 1-byte circular shift to the left
3rd row does a 2-byte circular shift to the left
4th row does a 3-byte circular shift to the left

Decryption inverts this using shifts to the right.

Since the state is processed by columns, this step permutes bytes between the columns. The main objective of the Shift Rows operation is to provide diffusion.

Mix Columns

Each column is processed separately.

Each byte is replaced by a value dependent on all 4 bytes in the column.

Matrix multiplication in GF(2^8). The main objective of the Mix Columns operation is to provide confusion, but the operation is linear.

The inverse transformation matrix times the forward transformation matrix equals the identity matrix.

Mix Columns

Another way of viewing MixColumns: consider each column of the state to be a four-term polynomial over GF(2^8).

Multiply each column modulo (x^4 + 1) by the fixed polynomial a(x) = 01x^3 + 03x^2 + 01x + 02.

In the inverse operation, multiply each column modulo (x^4 + 1) by the fixed polynomial b(x) = 0Bx^3 + 0Dx^2 + 09x + 0E.

b(x) = a^-1(x) mod (x^4 + 1).

[Figure: Inverse Mix Column]
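Added example (mine, not from the slides): MixColumns as multiplication modulo x^4 + 1, with a(x) written in the FIPS-197 coefficient order {03}x^3 + {01}x^2 + {01}x + {02} so that the b(x) given on the slide is its inverse, plus the identity check stated on the previous slide; the sample column is constructed for this example.

```python
def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (shift-and-reduce)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)   # multiply by x, reduce on overflow
        b >>= 1
    return r

def mul_mod_x4_plus_1(p, q):
    """p(x) * q(x) with byte coefficients, index i = x^i term, reduced with x^4 = 1."""
    d = [0, 0, 0, 0]
    for i in range(4):
        for j in range(4):
            d[(i + j) % 4] ^= gf_mul(p[i], q[j])
    return d

# fixed polynomial a(x) = {03}x^3 + {01}x^2 + {01}x + {02} (FIPS-197), lowest degree first
A_POLY = [0x02, 0x01, 0x01, 0x03]
# its inverse b(x) = {0B}x^3 + {0D}x^2 + {09}x + {0E} = a(x)^-1 mod (x^4 + 1), from the slide
B_POLY = [0x0E, 0x09, 0x0D, 0x0B]

def mix_column(col):           # column = [s0, s1, s2, s3] top to bottom
    return mul_mod_x4_plus_1(A_POLY, col)

def inv_mix_column(col):
    return mul_mod_x4_plus_1(B_POLY, col)

def mix_columns(state):
    """MixColumns on a 16-byte state held column-major (bytes 4c..4c+3 form column c)."""
    out = []
    for c in range(4):
        out += mix_column(list(state[4 * c:4 * c + 4]))
    return out

def inverse_is_identity():
    """b(x) * a(x) mod (x^4 + 1) == {01}: inverse matrix times forward matrix is the identity."""
    return mul_mod_x4_plus_1(B_POLY, A_POLY) == [0x01, 0x00, 0x00, 0x00]

if __name__ == "__main__":
    col = [0xD4, 0xBF, 0x5D, 0x30]                        # constructed sample column
    print([hex(v) for v in mix_column(col)])              # ['0x4', '0x66', '0x81', '0xe5']
    print(inverse_is_identity())                          # True
```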

Add Round Key

The AddRoundKey stage is, in effect, a form of Vernam cipher.

In AddRoundKey, the 128 bits of the State are bitwise XORed with the 128 bits of the round key.

It is applied column-wise, as a series of byte operations. AES takes a 4-word (16-byte) input key and produces a linear array of 44 words (176 bytes).

The main objective of the Add Round Key operation is to provide security.

Add Round Key

Key Expansion

Key expansion is based on diffusion (rotate byte) followed by a nonlinear confusion (S-Box) operation.

16 bytes of initial key expand into a 44-word array of 176 bytes.

    KeyExpansion(byte Key[16], word W[44])
    {
        word temp;
        /* the first 4 words are the key itself */
        for (i = 0; i < 4; i++)
            W[i] = (Key[4*i], Key[4*i+1], Key[4*i+2], Key[4*i+3]);
        /* each further word depends on the previous word and the word 4 positions back */
        for (i = 4; i < 44; i++)
        {
            temp = W[i - 1];
            if (i % 4 == 0)   /* once per round: rotate, substitute, add round constant */
                temp = SubByte(RotByte(temp)) ^ Rcon[i / 4];
            W[i] = W[i - 4] ^ temp;
        }
    }

The round constant (Rcon) array is computed by the following equation, with polynomial arithmetic over GF(2):

rcon(i) = x^(254 + i) mod (x^8 + x^4 + x^3 + x + 1)

The inclusion of a round-dependent round constant eliminates the symmetry between the process of key generation
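Added example (not the slides' code) that makes the KeyExpansion pseudocode above runnable for AES-128, deriving Rcon literally from the slide's formula and the S-box from the inverse-plus-affine construction; the inverse is looked up through {03} log/antilog tables and c = {63} is used in the affine map, both taken from FIPS-197 rather than from the slides. The test key is the FIPS-197 Appendix A example key.

```python
def xtime(v):                 # multiply by x in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1
    v <<= 1
    return (v ^ 0x11B) if v & 0x100 else v

def rcon(i):
    """Slide formula rcon(i) = x^(254+i) mod m(x), done literally with 254+i doublings."""
    v = 1
    for _ in range(254 + i):
        v = xtime(v)
    return v                  # equals x^(i-1): 01, 02, 04, ..., 80, 1B, 36 for i = 1..10

# {03} generates the multiplicative group of GF(2^8); multiplying by {03} is xtime(v) ^ v.
# EXP[k] = {03}^k and LOG inverts it, so a^-1 = {03}^(255 - log a).
EXP = [1]
for _ in range(254):
    EXP.append(xtime(EXP[-1]) ^ EXP[-1])
LOG = {v: k for k, v in enumerate(EXP)}

def gf_inverse(a):
    return 0 if a == 0 else EXP[(255 - LOG[a]) % 255]

def sbox_entry(a):
    """Inverse then affine map; rotl by 1..4 supplies the b_(i+7) .. b_(i+4) terms, c = 0x63."""
    b = gf_inverse(a)
    rotl = lambda v, k: ((v << k) | (v >> (8 - k))) & 0xFF
    return b ^ rotl(b, 1) ^ rotl(b, 2) ^ rotl(b, 3) ^ rotl(b, 4) ^ 0x63

SBOX = [sbox_entry(a) for a in range(256)]

def rot_byte(w):              # RotByte: [a0, a1, a2, a3] -> [a1, a2, a3, a0]
    return w[1:] + w[:1]

def sub_byte(w):              # SubByte applied to each byte of the word
    return [SBOX[b] for b in w]

def key_expansion(key):
    """16-byte key -> 44 words (176 bytes), following the slide's KeyExpansion()."""
    if len(key) != 16:
        raise ValueError("AES-128 key must be 16 bytes")
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    for i in range(4, 44):
        temp = w[i - 1]
        if i % 4 == 0:                       # once per round
            temp = sub_byte(rot_byte(temp))
            temp[0] ^= rcon(i // 4)          # Rcon[i/4] is the word (rcon, 00, 00, 00)
        w.append([x ^ y for x, y in zip(w[i - 4], temp)])
    return w

def round_key(w, r):          # round key r = words 4r .. 4r+3 as 16 bytes
    return bytes(sum(w[4 * r:4 * r + 4], []))
```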

AES Structure: Putting It All Together

Few words

Only the AddRoundKey stage makes use of the key; the cipher begins and ends with an AddRoundKey function because the other stages are reversible.

An illusion box with a key. The final round consists of three stages; without any particular reason, this is the structure of AES.

References

Federal Information Processing Standards Publication 197, November 26, 2001, Announcing the ADVANCED ENCRYPTION STANDARD (AES).

D. Canright, A Very Compact S-box for AES, Applied Mathematics Dept., Naval Postgraduate School, Monterey CA 93943, USA.

www.cprogramming.com, [Tutorial] Implementing the Advanced Encryption Standard.

William Stallings, Cryptography and Network Security: Principles and Practices, Fourth Edition, Print ISBN-10: 0-13-187316-4.